by g3ckO » Thu Sep 09, 2004 10:23 pm
What's wrong in the code below:
Code:
<?php
session_start();
include("database.php");
$name = $_GET['value'];
function extract_user()
{
    $query="SELECT * FROM employee WHERE username ='$name'";
    $result=mysql_query($query);
    $row_array=mysql_fetch_array($result);
    return $row_array;
}
$row_array=extract_user();
$Des=$row_array['EmpDes'];
$Sno=$row_array['StaffNo'];
echo"$name";
echo"$Des";
echo"$Sno";
?>
I get the output for $name but not for $Des and $Sno.
by McGruff » Thu Sep 09, 2004 11:10 pm
Try:
Code:
echo '<pre>';
print_r($row_array);
echo '</pre>';
..to check what's being returned.
PS: you should escape strings obtained from user input before using them in a query.
Last edited by McGruff on Sun Aug 07, 2005 11:55 pm, edited 1 time in total.
by Breckenridge » Thu Sep 09, 2004 11:15 pm
feyd | Please use code tags when posting code. Read: Posting Code in the Forums (http://forums.devnetwork.net/viewtopic.php?t=21171)
Try declaring your database variable as a global before selecting from database, this should work:
Code:
<?php
session_start();
include("database.php");
$name = $_GET['value'];
function extract_user()
{
    global $db; // <<<<<< use your database variable name
    $query="SELECT * FROM employee WHERE username ='$name'";
    $result=mysql_query($query);
    $row_array=mysql_fetch_array($result);
    return $row_array;
}
$row_array=extract_user();
$Des=$row_array['EmpDes'];
$Sno=$row_array['StaffNo'];
echo"$name";
echo"$Des";
echo"$Sno";
?>
by g3ckO » Thu Sep 09, 2004 11:35 pm
For:
Code:
<?php
echo '<pre>';
print_r($row_array);
echo '</pre>';
?>
Nothing happened.
The second suggestion also doesn't work.
by feyd » Fri Sep 10, 2004 12:34 am
uhm.. $name isn't a variable inside the function.
by ol4pr0 » Fri Sep 10, 2004 12:35 am
Hit me if I am wrong
->$name = $_GET['value'];
Shouldn't you just use the global $_GET inside your function?
Code:
function extract_user()
{
    global $db; // <<<<<< use your database variable name
    $query="SELECT * FROM employee WHERE username ='".$_GET['name']."'";
    $result=mysql_query($query);
    $row_array=mysql_fetch_array($result);
    return $row_array;
}
by g3ckO » Mon Sep 13, 2004 8:54 pm
This is where the value for $_GET['value'] comes from:
Code:
<?php
// Inner double quotes must be escaped inside a double-quoted string
echo "<a href=\"leave_detail.php?value=$nama\">$nama</a>";
?>
And the following code returns a blank page.
Code:
<?php
session_start();
include("database.php");
function extract_user()
{
    global $conn;
    $query="SELECT * FROM employee WHERE username ='".$_GET['value']."'";
    $result=mysql_query($query);
    $row_array=mysql_fetch_array($result);
    return $row_array;
}
$row_array=extract_user();
$Des=$row_array['EmpDes'];
$Sno=$row_array['StaffNo'];
echo"$Des";
echo"$Sno";
?>
by feyd » Mon Sep 13, 2004 9:03 pm
First off, it's real real dangerous using $_GET right off like that. Second, make sure the query is running okay with some error checking and debug echoes. Make sure error_reporting is E_ALL and display_errors is on (in php.ini or through htaccess, do not trust in-page setting 100% of the time).
by g3ckO » Mon Sep 13, 2004 9:53 pm
Hmm.. Ok.. I think I have found the way to solve it..
But can you explain more about this:
feyd wrote: first off, it's real real dangerous using $_GET right off like that.
Why??
by feyd » Mon Sep 13, 2004 11:15 pm
Google: sql injection
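
The two problems raised in this thread (the request value not being in scope inside the function, and $_GET going straight into the SQL text) side by side with a parameterized version. This is an added example, not code from any poster: it assumes PHP 7+ with PDO and the pdo_sqlite extension, uses an in-memory SQLite table in place of the thread's MySQL database, and the function names extract_user_concat and describe, the sample rows and the sample inputs are constructed for illustration.

```php
<?php
// Added example. SQLite in memory stands in for the thread's MySQL database
// (assumption: the pdo_sqlite extension is loaded). Table and column names
// follow the thread; the two rows are constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE employee (username TEXT, EmpDes TEXT, StaffNo TEXT)");
$db->exec("INSERT INTO employee VALUES ('alice', 'Engineer', 'S001')");
$db->exec("INSERT INTO employee VALUES ('bob', 'Clerk', 'S002')");

// The thread's pattern: the request value becomes part of the SQL text.
function extract_user_concat(PDO $db, string $name)
{
    $query = "SELECT * FROM employee WHERE username ='" . $name . "'";
    return $db->query($query)->fetch(PDO::FETCH_ASSOC);
}

// Hardened: $name arrives as an argument (so it is in scope) and is bound
// as a parameter, so the database only ever compares it as data.
function extract_user(PDO $db, string $name)
{
    $stmt = $db->prepare("SELECT * FROM employee WHERE username = :name");
    $stmt->execute([':name' => $name]);
    return $stmt->fetch(PDO::FETCH_ASSOC);   // false when no row matches
}

// Escape on output as well: the values are echoed back into the page.
function describe($row): string
{
    if ($row === false) {
        return 'no row';
    }
    return htmlspecialchars($row['EmpDes'] . ' ' . $row['StaffNo'], ENT_QUOTES, 'UTF-8');
}

// Constructed stand-ins for $_GET['value']: a real username, then a value
// containing a quote that rewrites the WHERE clause of the concatenated query.
foreach (["alice", "nobody' OR '1'='1"] as $name) {
    echo htmlspecialchars($name, ENT_QUOTES, 'UTF-8'), "\n";
    echo '  concatenated: ', describe(extract_user_concat($db, $name)), "\n";
    echo '  bound:        ', describe(extract_user($db, $name)), "\n";
}
```

With the second input the concatenated query returns a row even though no such username exists, while the bound query returns none.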